How to revoke an openssl certificate when you don't have the certificate

StackOverflow https://stackoverflow.com/questions/9496698

  •  14-11-2019
  •  | 
  •  

Question

I made an openssl certificate signed by the CA created on the local machine.

This certificate was deleted and I don't have it anymore.

It is impossible to create another certificate with the same commonName because openssl doesn't allow it and will generate the error:

failed to update database
TXT_DB error number 2

How can I revoke the certificate to create another one with the same commonName ?

Was it helpful?

Solution

(Based on Nilesh's answer) In the default configuration, openssl will keep copies of all signed certificates in /etc/ssl/newcerts, named by its index number. So grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then execute the following command:

openssl ca -revoke /etc/ssl/newcerts/1013.pem #replacing the serial number

The -keyfile and -cert mentioned in Nilesh's answer are only required if that deviates from your openssl.cnf settings.

Alternatively you can also change /etc/ssl/index.txt.attr to contain the line

unique_subject = no

to allow multiple certificates with the same common name. If you have published the original certificate, revoking the old one is however the preferable solution, even if you don't run an OSCP server or provide CRLs.

OTHER TIPS

I haven't tried this but it looks like you need something like this.

openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt

openssl automatically saves a copy of your cert at newcerts directory. You may want to check it to retrieve your certificate. Unfortunately you need a certificate present to revoke it. See the following for details: http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml

Like the other answers say, openssl CA usually keeps a copy of signed certificates in a subdirectory (newcerts or certs, or keys with easyrsa. Look for new_certs_dir definition in the openssl.cnf file of your authority or -outdir option in the scripts).

Thus, the canonical way of doing is something along :

openssl ca -config openssl.cnf -revoke newcerts/hello-world.pem

However, I add this answer to note that, with current versions, openssl ca -revoke ... seems to only update the index.txt file (it will nevertheless ask for the private key password, which is questioned there) so if you really don't have any certificate backup but still have the index.txt or some way to retrieve the serial number, you can look up / make up the certificate line and change it :

# before
V   291008172120Z       6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown /C=FR/CN=coucou.com
# after
R   291008172120Z   191011172218Z   6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown /C=FR/CN=coucou.com

# Format is 6 fields, tab-separated, and filename is usually 'unknown' :
# CRL doesn't contain nor need the subject so if unavailable, just make up something close
V/R/E   expiration-date revocation-date serial-number   filename    subject

(tested with OpenSSL 1.1.1c. On some other version/environment, serial number can be much shorter)

The openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem will be the actual step to revoke the certificate, producing a signed list using the private key of the authority.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top